One Voucher Per Device
-
@wazim4u said in One Voucher Per Device:
captive portal users get message you are connected but there is no internet
See the 'other' thread that handles that subject.
See also here : https://github.com/pfsense/pfsense/pull/4042 the solution is in feedback stage. The patch can be imported 'official' (again, see the other thread for details how to do so).
I advise you to install this patch right away.
At least, you can edit your settings (do you have to edit your settings ?) without all connected users being thrown out.
Right now, after an edit you have to purge the connected user list - if you don't, connected users will hit the "You are already connected" text. -
@Gertjan said in One Voucher Per Device:
Ok, great !
I updated these a week or so :
@Gertjan said in One Voucher Per Device:
This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
This is the new /usr/local/www/services_captiveportal.php file.
https://pastebin.com/QLhNhgAW
I'll post back here when I make more edits.
@Gertjan this worked great for me, as I wanted, but one challenge I have, just one: instead of one login per user, I wanted 2 logins per user, so that a guest could log in with laptop and phone; after the two devices, every subsequent login with the same credential will be dropped.
Kindly guide me through if it is possible. -
Using vouchers ?
Don't think so. That means changing the code -> more php editing in this case.
But I'm doing exactly that right now at my work : a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And freeradius, that limit just fine each user at 2 max logins. -
@Gertjan said in One Voucher Per Device:
Using vouchers ?
Don't think so. That means changing the code -> more php editing in this case.
But I'm doing exactly that right now at my work : a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And freeradius, that limit just fine each user at 2 max logins.
@Gertjan, not for voucher, but usernames and passwords... almost same environment. Users can log in with room number and surname as username and password, then vouchers can be for conference guests, where a particular voucher can be adjusted for the amount of conference participants
-
A voucher can be for one device or anyone with the code. There is no numeric limit that can be applied.
-
@Gertjan said in One Voucher Per Device:
Using vouchers ?
Don't think so. That means changing the code -> more php editing in this case.
But I'm doing exactly that right now at my work : a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And freeradius, that limit just fine each user at 2 max logins.
@Gertjan would you mind sharing your progress and code when you successfully get it to work on 2 devices per user? Regards
-
No progress, no code needed.
As said, you need Freeradius. The package.
On the first user you declare in Freeradius, you add this in the advanced section :
All further users will use this setting : not more than 2 logins per account.
How to set up Freeradius ?
That's not a question. This thing is huge and needs to be studied. It's like a mail server or web server, there is no such thing as "a click here and click there and you're up".
I advise that you start looking at the videos from Netgate on Youtube.
Not that it really matters, but I'm using a MySQL (Maria) DB server for the Freeradius storage needs. That's just a choice, none is needed actually, Freeradius can also work with a flat file database, stored on the pfSense drive.
-
@Gertjan said in One Voucher Per Device:
No progress, no code needed.
As said, you need Freeradius. The package.
On the first user you declare in Freeradius, you add this in the advanced section :
All further users will use this setting : not more than 2 logins per account.
@Gertjan ... ok, I have added the above line in freeRadius, with option 3 (First sessions per username / voucher) selected in non concurrent login, but only one device can log in; the second device comes with the error "reuse of id not allowed".
Am I missing something? -
@colleytech said in One Voucher Per Device:
the second device comes with the error "reuse of id not allowed"
am I missing something??
Ah, so you're using my code that changes somewhat the way how vouchers login :
- many
- only last
- only first
Right ?
You can't change that behavior, except if you are willing to "play" with the code (PHP script).
If you are willing to drop voucher usage, and step over to the classic user/password,
and
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now ) -
@Gertjan said in One Voucher Per Device:
@colleytech said in One Voucher Per Device:
the second device comes with the error "reuse of id not allowed"
am I missing something??
Ah, so you're using my code that changes somewhat the way how vouchers login :
- many
- only last
- only first
Right ?
You can't change that behavior, except if you are willing to "play" with the code (PHP script).
If you are willing to drop voucher usage, and step over to the classic user/password,
and
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now )
@Gertjan your code works with freeRadius users, that's what I use it for. I don't mind going without vouchers.
If you use the default pfsense php code, the simultaneous-use =3 will work, but it will always disconnect the logged in user, to make way for the new login.
Just like what your code is doing, stopping reuse of id without disconnecting the current user: is there a way to achieve that with freeRadius, whereby, after two devices log in, the third one will be dropped, instead of the already logged in devices?
Regards -
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now )
@Gertjan I am still battling with this... is there a way I could use this and still not get my two connected devices disconnected when a third login attempt is done?
The goal is to get two devices per user, then a third login will be dropped instead of it disconnecting an already connected device.
Thanks in advance
-
@colleytech said in One Voucher Per Device:
@Gertjan I am still battling with this... is there a way I could use this and still not get my two connected devices disconnected when a third login attempt is done?
The goal is to get two devices per user, then a third login will be dropped instead of it disconnecting an already connected device.
That's what I'm doing right now. With FreeRadius.
Without it : I guess not. -
@Gertjan said in One Voucher Per Device:
@colleytech said in One Voucher Per Device:
@Gertjan I am still battling with this... is there a way I could use this and still not get my two connected devices disconnected when a third login attempt is done?
The goal is to get two devices per user, then a third login will be dropped instead of it disconnecting an already connected device.
That's what I'm doing right now. With FreeRadius.
Without it : I guess not.
@Gertjan,
kindly indulge me: whenever I do it with freeradius, two devices will connect, but a third device attempting to log in will always disconnect one of the already logged in devices. That's what I am trying to avoid. If there is any additional setting or line of code to be added, kindly point me to it. -
@colleytech said in One Voucher Per Device:
whenever i do it with freeradius, two devices will connect, but a third device attempting to log in will always disconnect one of the already logged in devices
??
That's not my experience.
The " Simultaneous-Use := 2 " statement will not allow a third login.
It doesn't kick out one of the two already logged in users.
Example :
Room number (== user) 116 : 2 parents and 3 kids.
2 iPads, 3 iPhones, some Samsung device, a Kindle and some other wifi device (a portable PC ?).
The first two logins for user "116" work fine, a third one gets authenticated (same user = "116" and password) but gets thrown out a couple of seconds during the REAUTHENTICATION process : the max user threshold was reached.
-
@Gertjan said in One Voucher Per Device:
@colleytech said in One Voucher Per Device:
whenever i do it with freeradius, two devices will connect, but a third device attempting to log in will always disconnect one of the already logged in devices
??
That's not my experience.
The " Simultaneous-Use := 2 " statement will not allow a third login.
It doesn't kick out one of the two already logged in users.
Example :
Room number (== user) 116 : 2 parents and 3 kids.
2 iPads, 3 iPhones, some Samsung device, a Kindle and some other wifi device (a portable PC ?).
The first two logins for user "116" work fine, a third one gets authenticated (same user = "116" and password) but gets thrown out a couple of seconds during the REAUTHENTICATION process : the max user threshold was reached.
@Gertjan I must be missing something.
I have restored the box to factory and set up captive portal fresh. With no concurrent checked, and Simultaneous-Use := 3 placed in the freeRad user, I can get just one user connected; other subsequent users disconnect the first user, "not what I want". With no concurrent unchecked and Simultaneous-Use := 3 placed in the freeRad user, I can log in with multiple devices, "not what I want".
Applying your patch to select
1. many
2. only last
3. only first
and Simultaneous-Use := 3 placed in the freeRad user still doesn't get the job done.
What can I post here for you to check? -
@colleytech said in One Voucher Per Device:
applying your patch to select
1. many
2. only last
3. only first
That patch has nothing to do with FreeRadius.
@colleytech said in One Voucher Per Device:
her subsequent users disconnects the first user "not what i want"..............
I have to check things tomorrow, when I'm on site.
Look at my image = log again.
See (bottom) the oldest login. Just above (log is reverse) some OTHER 116 user is disconnected ... etc. -
That patch has nothing to do with FreeRadius.
@Gertjan maybe you didn't test the patch; that patch overrides every setting, anything you apply on freeRadius doesn't reflect, as far as the patch is there. The patch is so powerful.
I have to check things tomorrow, when I'm on site.
Look at my image = log again.
See (bottom) the oldest login. Just above (log is reverse) some OTHER 116 user is disconnected ... etc.
@Gertjan please do, I will be so grateful if I accomplish my goal
-
@Gertjan said in One Voucher Per Device:
I have to check things tomorrow, when I'm on site.
@Gertjan , any luck?
-
@Gertjan said in One Voucher Per Device:
Captive portal users get message you are connected but there is no internet
I was trying to apply this patch and I'm getting below error:
Patch can NOT be applied cleanly (detail)
Patch can NOT be reverted cleanly (detail)
I can apply the patch by editing the below files,
src/etc/inc/captiveportal.inc
src/etc/inc/system.inc
src/usr/local/captiveportal/index.php
but I'm using your version of 'src/etc/inc/captiveportal.inc'
What is the solution for this?
Thanks in advance
-
@rayyanthameem said in One Voucher Per Device:
I was trying to apply this patch and I'm getting below error:
Patch can NOT be applied cleanly (detail)
Patch can NOT be reverted cleanly (detail)
So :
@Gertjan said in One Voucher Per Device:
See the 'other' thread that handles that subject.
See also here : https://github.com/pfsense/pfsense/pull/4042 the solution is in feedback stage. The patch can be imported 'official' (again, see the other thread for details how to do so).
This thread handles an entire other issue.
-
@Gertjan Thanks for your help, I hope this is the patch I've to apply: https://patch-diff.githubusercontent.com/raw/pfsense/pfsense/pull/4042.diff
-
@rayyanthameem said in One Voucher Per Device:
https://patch-diff.githubusercontent.com/raw/pfsense/pfsense/pull/4042.diff
That's the one.
As you noticed, the patch can't be applied against a 2.4.4-p3 on your device.
This is because the actual version of pfSense on github is more recent (like a 2.4.4-p4) than the version you have (2.4.4-p3).
So, first, you have to retrieve from github the most recent files for :
/etc/inc/captiveportal.inc
/usr/local/captiveportal/index.php
/etc/inc/system.inc
Then the patch can be applied.
I'm using it right now :
-
@Gertjan said in One Voucher Per Device:
Here we go:
This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
Now I am using your version of 'captiveportal.inc'
Are you suggesting except 'captiveportal.inc' use everything else and apply patch?
-
@rayyanthameem said in One Voucher Per Device:
Now I am using your version of 'captiveportal.inc'
That won't (probably) work with the 4042 patch.
The issue of this thread, the "One Voucher use" is something different.
Because I didn't publish a patch on github (== a pull request) there is only one way to make my patch work : you have to distil yourself the modifications out of the two files mentioned above (the pastebin ones).
I made a case-study of the issue because it pops up often : limiting a voucher to ONE device.
A fact is : when some one proposes a patch against github, the patch should be supported by the author during the entire implementation time and test phase.
I'm not using vouchers myself .... and lack the time to support such an issue. -
Basically, I want to fix both problems, I need to use the One voucher per device and also fix the 4042 issue.
by distil you mean to compare two codes and do the changes?
I've tried to do it, but there is some extra code in github version(Line 228). Please see the attached screenshot.
-
@rayyanthameem said in One Voucher Per Device:
by distil you mean to compare two codes and do the changes?
Exact.
@rayyanthameem said in One Voucher Per Device:
I've tried to do it, but there is some extra code in github version(Line 228). Please see the attached screenshot.
I advise you to take the latest version from github, include the patch "4042" and then, if you feel up to it, implement the voucher issue.
There are two patches :
Some updates for the GUI captive portal settings page :
https://pastebin.com/QLhNhgAW
Several lines have to be taken from
https://pastebin.com/V6uWHNz5 ( /etc/inc/captiveportal.inc ) -
hi all,
I started this thread but now it seems a lot of people have the same problem, so I am requesting management to add this function, one voucher per device or for two devices, in the official release.
Thanks @ajmaltms @Derelict @free4 @Gertjan @wazim4u @colleytech @rayyanthameem
-
@Gertjan Do you have the original captiveportal.inc file? then I can compare to your modification and do that modification in github version.
-
Noop.
The pastebin files are what's left.
I went back to the stock version. -
@rayyanthameem the stock 2.4.4-p3 file : https://github.com/pfsense/pfsense/blob/RELENG_2_4_4/src/etc/inc/captiveportal.inc
-
@free4 : you're probably right : I based my edits on that file / version 2.4.4-p3.
@rayyanthameem : a diff will tell you ^^ -
@Gertjan Failed!!.
Patch didn't load, the device was able to connect internet without the voucher, CP changes took longer to save.
in short multiple issues, not sure what is the problem.
Here is the modified version: https://pastebin.com/66y1UgZf
-
Tip :
The easiest file to edit / change first is https://pastebin.com/QLhNhgAW : the GUI web config page.
Search for 'noconcurrentlogins' occurrences in that file.
The only thing that changes in that file is the state of 'noconcurrentlogins', it changes from
// $newcp['noconcurrentlogins'] = $_POST['noconcurrentlogins'] ? true : false;
= true or false
to true, false or multiple.
This is handled in several places, and easy to spot.
Test this one first. You can see in the GUI that it works : changing settings in the GUI can be tested using the 'viconfig' command : you should see the state of (noconcurrentlogins) in captive portal settings page.
-
@Gertjan said in One Voucher Per Device:
caveat
I would like to know if you have some latest development on your patch (one voucher per device) for the 2.5.0 version. I have taken the risk of using the 2.5-Development version for captive portal service for up to 2200 users with the voucher system. The testing service has been running for one week and so far there is no issue, and all the issues I was facing, like rebooting the system or changing settings in the 2.4.4-p3 captive portal, are gone... made life easy for me. I have implemented your patch again to lock the user with first login. It has been working fine for 1 week, with a few issues so far which I think are fixable.
1- When you try to log in again with an already active voucher it gives an error page in two form fields: one gives the notice (reuse of authentication not allowed) and the second form (voucher expired); it should be only the first one in this case.
2- Secondly, it should be MAC based authentication, not MAC & IP. If someone adds a voucher and his lease is changed from 1.1.1.1 to 2.2.2.2 he will not be able to log in again even if the MAC (device) is the same. This is the major problem at the moment.
3- Getting some crash error but it doesn't affect captive portal operation.
non numeric-value encountered in etc/inc/captiveportal.inc on line 1955
-
@wazim4u said in One Voucher Per Device:
1-
These two 'error' screen show one after the other ?
2
I guess I understand. When a device comes back, and its original DHCP lease is already reused - re assigned - to another device this happens. The MAC/IP pair will be different.
Simple solution : make the DHCP lease pool size for the portal really big.
Furthermore, the portal_allow() function scans over the connected user database using this selection criteria :
    /* read in client database */
    $query = "WHERE ip = '{$clientip}'";
which implies that the IP should be the same ...
( change this to {$clientmac} and see what happens ^^)
3 ....
You changed the etc/inc/captiveportal.inc file so I don't know what this '1955' line is doing.
Can you show some code on that spot ? -
@Gertjan said in One Voucher Per Device:
$clientmac
1- Yes, it comes side by side on desktop like the image, and on mobile view it comes up and down.
2- DHCP lease is already one month. Do you want me to make it more? That's the first solution. Secondly, the option you have given to change the client IP query to client MAC: this option is in two places, which one to change? If you can please guide me, I will test and let you know.
A:
    /* read in client database */
    $query = "WHERE ip = '{$clientip}'";
    if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) {
        $tmpusername = SQLite3::escapeString(strtolower($username));
        $query .= " OR (username != 'unauthenticated' AND lower(username) = '{$tmpusername}')";
    }
    $cpdb = captiveportal_read_db($query);
B:
    /* read in client database */
    $query = "WHERE ip = '{$clientip}'";
    $cpdb = captiveportal_read_db($query);
    foreach ($cpdb as $cpentry) {
        return $cpentry;
    }
3- I didn't change anything in the code. For reference, I attach an image of line 1955 below.
-
Hummmm.
See https://pastebin.com/V6uWHNz5 - that's the file, right ?
Convert line 2353 and 2370 into comments (put a // at the beginning of the line ).
DHCP pool size, not lease size.
Bigger pool means : leases will be recycled less faster == more chance that the same device gets the same IP when it reconnects.
For A: that one, yes.
Not B : you'll be changing the behaviour of that function ( function captiveportal_isip_logged($clientip) ) and you'll break things.
$ridx +=2 is a very classic numerical expression for "add 2 to $ridx". Also, $ridx is set to "2000" up front, which is also a number - at least, last time I checked, it was.
So, your
non numeric-value encountered in etc/inc/captiveportal.inc on line 1955
scares me ....
You're running out of place for the dual rules (env ( 64500-2000) / 2 ) or 31250 registered "logged in user" rules .... ???
You should see log messages like "Zone: {$cpzone} - WARNING! Captive portal has reached maximum login capacity"
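
A simplified model of the IP-versus-MAC lookup discussed in the posts above, added here as an illustration (it is not pfSense code and not taken from any poster's patch): it shows why a session table queried by IP refuses a returning device after a lease change, while a MAC-keyed query recognises it. The `clients` table, `find_sessions()`, `try_login()`, the voucher name and all addresses are constructed for the example.

```php
<?php
// Added illustration, not pfSense code. The table is a constructed stand-in for
// the portal's connected-client database; names and addresses are sample values.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE clients (ip TEXT, mac TEXT, username TEXT)');

// Look up sessions on one column. The column comes from a fixed allow-list and
// the value is bound as a parameter instead of being interpolated into the SQL.
function find_sessions(SQLite3 $db, string $column, string $value): array
{
    if (!in_array($column, ['ip', 'mac', 'username'], true)) {
        throw new InvalidArgumentException("unexpected column: $column");
    }
    $stmt = $db->prepare("SELECT ip, mac, username FROM clients WHERE $column = :v");
    $stmt->bindValue(':v', strtolower($value), SQLITE3_TEXT);
    $result = $stmt->execute();
    $rows = [];
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $rows[] = $row;
    }
    return $rows;
}

// Simplified "only first" policy: a device that already holds a session for this
// voucher is let back in; a voucher bound to some other device is refused.
function try_login(SQLite3 $db, string $key, string $ip, string $mac, string $voucher): string
{
    if (!in_array($key, ['ip', 'mac'], true)) {
        throw new InvalidArgumentException("device key must be ip or mac");
    }
    $device = ($key === 'mac') ? $mac : $ip;
    foreach (find_sessions($db, $key, $device) as $session) {
        if ($session['username'] === strtolower($voucher)) {
            return 'already connected';
        }
    }
    if (find_sessions($db, 'username', $voucher)) {
        return 'reuse not allowed';
    }
    $stmt = $db->prepare('INSERT INTO clients (ip, mac, username) VALUES (:ip, :mac, :u)');
    $stmt->bindValue(':ip', strtolower($ip), SQLITE3_TEXT);
    $stmt->bindValue(':mac', strtolower($mac), SQLITE3_TEXT);
    $stmt->bindValue(':u', strtolower($voucher), SQLITE3_TEXT);
    $stmt->execute();
    return 'logged in';
}

$mac = '02:00:00:00:00:01'; // constructed, locally administered address
echo try_login($db, 'ip', '192.0.2.10', $mac, 'VOUCHER-A'), "\n";
// The same device returns after its DHCP lease moved to another address:
echo try_login($db, 'ip', '192.0.2.20', $mac, 'VOUCHER-A'), "\n";  // keyed on IP
echo try_login($db, 'mac', '192.0.2.20', $mac, 'VOUCHER-A'), "\n"; // keyed on MAC
// A different device presenting the same voucher, under either key:
echo try_login($db, 'mac', '192.0.2.30', '02:00:00:00:00:02', 'VOUCHER-A'), "\n";
```

A MAC address is reported by the client itself, so a MAC-keyed match identifies an adapter setting rather than a person; the larger DHCP pool suggested in the thread keeps the lookup on the IP instead.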